Happy Halloween: RIP to the HIPAA Privacy Rule?

As we settle into spooky season, let’s take a minute to consider a recent development in health care privacy as we ask ourselves, is this a trick or a treat?

The Texas Attorney General (AG) recently filed a lawsuit against the U.S. Department of Health and Human Services (HHS), the Secretary of HHS, and the Director of HHS alleging that HHS exceeded its statutory authority when issuing the HIPAA Privacy Rule to Support Reproductive Health Care Privacy Final Rule in April (“2024 Reproductive Privacy Rule,” 89 Fed. Reg. 32976). In asking for remedies, the Texas AG challenges all of the 2000 HIPAA Privacy Rule (65 Fed. Reg. 82462), although elsewhere in the complaint the AG indicates an intent to more narrowly challenge only the portion of the rule that addresses disclosures to state investigators.[1]

The Texas AG is asking the court to declare that the 2000 Privacy Rule and the 2024 Reproductive Privacy Rule violate the Administrative Procedure Act and to vacate, set aside, and enjoin enforcement of the Rules. Did a black cat just walk under a ladder, or is this all a bunch of hocus pocus?

2024 Reproductive Privacy Rule

Earlier this year, the Quarles privacy webinar discussed the 2024 Reproductive Privacy Rule and we include a high-level summary of key points as background:

  • In June, the 2024 Reproductive Privacy Rule went into effect, prohibiting the use or disclosure of protected health information (PHI) to conduct an investigation or to impose liability (or to identify any person for those reasons) where the investigation or liability is for the mere act of seeking, obtaining, providing, or facilitating reproductive health care.
  • The 2024 Reproductive Privacy Rule requires an attestation from the requestor before PHI relating to reproductive health care is disclosed for health oversight activities, judicial and administrative proceedings, law enforcement purposes, or to coroners and medical examiners. The requestor must attest that the use or disclosure would not be for a prohibited purpose, and the attestation must be signed with the requestor’s understanding that obtaining PHI in violation of HIPAA is a crime.

The 2024 Reproductive Privacy Rule followed the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization, which held that there is no constitutional right to an abortion, thereby permitting states to regulate or restrict abortion. HHS explains that it promulgated the 2024 Reproductive Privacy Rule after “hearing from communities that changes were needed to better protect patient confidentiality and prevent medical records from being used against people for providing or obtaining lawful reproductive health care.” Specifically, the 2024 Reproductive Privacy Rule is meant to give patients assurance of the confidentiality of their health care records and conversations with their health care providers, promoting the open communication between patients and their health care providers that is needed for the provision of health care.

The 2024 Reproductive Privacy Rule has a compliance date of December 23, 2024, with Notices of Privacy Practices to be updated by February 16, 2026.

Texas AG Lawsuit

The Texas AG asserts in its complaint that HHS exceeded its authority in limiting the documents that medical providers may produce to a state law enforcement agency. Specifically, the Texas AG argues that (1) HIPAA explicitly preserves state investigative authority, such that the 2000 and 2024 Rules are contrary to the statute, and (2) HIPAA did not give HHS authority to promulgate rules limiting how regulated entities may share information with state investigators. The Texas AG further asserts that the Rules are “arbitrary and capricious.” Do you sense the ghost of the tracking technologies guidance challenge? Could be; both cases were brought in the federal court for the Northern District of Texas, after all.

The complaint also asserts that Texas has been harmed by the HIPAA Rules because they have thwarted the State’s investigative abilities by giving HIPAA covered entities the ability not to comply with administrative subpoenas. Texas is requesting that this harm be corrected by vacating the HIPAA Rules and enjoining enforcement by HHS.

So What’s Next?

Entities subject to HIPAA should continue to prepare for the December 23, 2024 compliance deadline for the 2024 Reproductive Privacy Rule until such time as a court enters an order delaying or preventing enforcement. However, it is important to keep an eye on this litigation so you are not spooked by the outcome.

After consultation with our privacy witches and their crystal ball, we do not expect to see much, if any, progress until after the presidential election, the results of which may determine whether HHS will even defend against this litigation. This is the broadest attack on HIPAA since it was promulgated. In a post-Loper Bright world, where Chevron deference is murky at best, it will be interesting to see how the Northern District of Texas will interpret HHS’s broad authority to issue privacy regulations under Section 264(c) of HIPAA.

We will continue to track this litigation, and you can stay up to date on progress with our Health Privacy and Security email list. In the meantime, don’t be afraid to say BOO and raise the potential for a transformation in HIPAA regulations within your enterprise. We’ll be forming a calming circle.

“Come, we fly!”—Winifred Sanderson

END NOTES


[1] The Texas AG’s Demand for Relief (page 16 of the Complaint) asks the court to vacate and set aside the entirety of the 2000 Privacy Rule; however, in the second paragraph of the Complaint, the Texas AG explains that the lawsuit challenges the portion of the 2000 Privacy Rule that addresses disclosures of health information to state investigators (45 C.F.R. § 164.512(f)(1)(ii)(C)). We expect this ambiguity to be resolved by amended pleadings.